Issue

After upgrading a CQ5.2.1 authoring instance to 5.3, members of the user-administrators group cannot administer users and groups anymore

Cause

The default ACL setup for the /home branch where users and groups are stored has been simplified with CQ5.3. The upgrade mechanism from CQ5.2.1 to CQ5.3 does not take this into account, leaving an inconsistent ACL setup which basically renders the user-administration capabilities of the user-administrators group ineffective.

Resolution

Attached to this article is a CQ5 content package containing a script which restores the ability to administer users/groups for members of the default user-administrators group.

Make sure to have a backup of the upgraded instance before applying the following steps: